AR 05-066

Office of Inspector General

Review of Federal Information Security Management Act Corrective Actions for July 2004 – March 31, 2005

FEDERAL TRADE COMMISSION
WASHINGTON, D.C. 20580
OFFICE OF INSPECTOR GENERAL

TO:       Stephen Warren
          Chief Information Officer

FROM:     Howard L. Sribnick
          Inspector General

SUBJECT:  OIG Review of Corrective Actions Reported to OMB (AR 05-066)

The Office of Inspector General (OIG) completed its review of the Federal Trade Commission's (FTC) Plan of Action & Milestones (POA&M) submission to the Office of Management and Budget (OMB) for the 4th Quarter of Fiscal Year (FY) 2004 through the 2nd Quarter of Fiscal Year (FY) 2005. The purpose of this review was to evaluate Information & Technology Management's (ITM) progress in correcting weaknesses identified in previous Government Information Security Reform Act (GISRA), Federal Information Security Management Act (FISMA) and agency-sponsored security reviews.

A POA&M is the authoritative and comprehensive agency management mechanism used to prioritize, track, and manage all agency efforts to close security performance gaps. In addition to identifying tasks that need to be accomplished, it also details the resources required to accomplish the elements of the plan, any milestones in meeting the task, and scheduled completion dates for the milestones. POA&Ms are used, in part, as a basis for OMB's assessment of agency IT security status as part of the President's Management Agenda Scorecard under the e-Gov score.

FY 2004 POA&M Overview

For the first three quarters of FY 2004, the OIG reviewed ITM submissions to OMB as part of its FY 2004 FISMA reporting. The results of this review are included in the OIG FISMA report (AR 04-061). The OIG concluded that ITM made significant progress in improving its POA&M management program. Most significantly, ITM implemented an OIG recommendation to track all significant weaknesses from other security reviews and studies as well as from FISMA evaluations. This ensures that the universe of security weaknesses is identified and tracked on one document in keeping with OMB requirements. ITM also improved its POA&M recording, tracking, correcting and reporting processes, and its methodology for recording changes to milestones and corrective actions.

The OIG and ITM continued to work together to review completed corrective actions on a quarterly basis to confirm that remedial actions addressed the identified vulnerabilities.

FY 2005 POA&M Review

The scope of the current review covers the 4th quarter of FY 2004, and the 1st and 2nd quarters of FY 2005 (July 1, 2004 – March 31, 2005). During this period, ITM identified 127 weaknesses. During the same period, ITM closed 36 weaknesses from this and prior periods. The OIG reviewed these closed items and the actions taken by ITM to close them. The results of this review are presented below. The OIG concurred with ITM's disposition of these 36 items based on information provided by ITM and independent verification by OIG's IT auditors when applicable.[1]

Review Methodology

To verify that actions taken by ITM addressed the identified vulnerability, the OIG reviewed completed milestones, policies, and other related documents and, when possible, used screen captures and conducted walk-throughs to confirm that corrective actions were effective. The review team also interviewed personnel implementing the corrective actions. The completed actions and the OIG's analysis are presented below.

Recommendations

Although the primary focus of this document is to confirm that corrective actions reported to the Office of Management and Budget were implemented, the OIG also made three recommendations to strengthen corrective actions made by ITM or to address vulnerabilities not specified on the POA&M that are related to the corrected POA&M item. Each recommendation appears within the specific POA&M writeup.

Review Results

Weakness 1: Certify and accredit seven (7) major applications (MA) and the general support system (GSS)

Source: FY03 OIG Review

ITM Actions: ITM completed certification & accreditation (C&A) packages for all major applications and general support systems.

OIG Analysis: OIG reviewed C&A packages for the following systems:

    • Do Not Call (DNC)
    • e-Premerger
    • Documentum
    • Matter Management System (MMS)
    • Consumer Information System (CIS)
    • Federal Financial System (FFS)
    • Infrastructure

[1] ITM reported 36 closed POA&M items to OMB during the period of review. The OIG determined that many POA&M items were identified twice by ITM to facilitate internal tracking. The OIG chose to identify each item once, resulting in 24 unique POA&M items identified and reviewed in this report.

The Department of the Interior (DOI) owns FFS and is, therefore, responsible for certifying and accrediting that system. The FTC relied this year on an SAS-70 report provided by DOI OIG for security assurances.[2]

During the prior year review, the OIG reviewed the C&A package provided to the FTC by the Department of Interior's OIG (without the risk analysis). The following table lists the key documents found in the C&A package. A check mark (✓) indicates that the document was present.

Columns: (1) Risk Assessment (Required); (2) Security Plan (Required); (3) C&A; (4) ST&E or Vulnerability Report (Required); (5) POA&M (Required); (6) Privacy Impact Assessment (If Needed); (7) C&A Letters (Required); (8) Self-Assessment; (9) MOU.

System Name      System Type   (1)   (2)   (3)   (4)   (5)       (6)   (7)   (8)   (9)
Documentum       MA            ✓     ✓     ✓     ✓     ✓               ✓
FFS              MA            ✓     ✓     ✓     ✓     ✓ (FTC)         ✓     ✓
MMS              MA            ✓     ✓     ✓     ✓     ✓               ✓
CIS              MA            ✓     ✓     ✓     ✓     ✓         ✓     ✓
e-Premerger      MA            ✓     ✓     ✓     ✓     ✓         ✓     ✓
Do Not Call      MA            ✓     ✓     ✓           ✓               ✓           ✓
Infrastructure   GSS           ✓     ✓     ✓     ✓     ✓               ✓

The OIG noted that the DNC C&A package did not include a System Test and Evaluation (ST&E).[3] FTC's C&A policy states that the C&A should contain the following documents:

    • Security Test & Evaluation (Emphasis added)
    • Risk Assessment
    • System Security Plan
    • Privacy Impact Assessment
    • Plan of Action & Milestones
    • Certifier's Statement

The National Institute of Science and Technology (NIST) Special Publication (SP) 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, does not specifically require an ST&E for accreditation; it requires only that the C&A package contain the following documents:

    • Approved System Security Plan
    • Risk Assessment
    • Plan of Action & Milestones

SP 800-37 also states that appendices in the security plan may contain other key security-related documents such as privacy impact assessments, contingency plans, incident response plans, configuration management plans, security configuration checklists, and any system interconnection agreements. ITM representatives also stated that Telos is in the process of conducting the ST&E for DNC.

As NIST 800-37 does not specify the content of an ST&E, and since ITM is performing a more comprehensive ST&E in FY 2005 of the DNC contractor, the OIG accepts ITM's disposition of this item.

OIG Status: Closed

[2] A Statement of Accounting Standards (SAS) 70 report presents the results of security control reviews for organizations providing services to other agencies, organizations, groups, etc. System controls are evaluated by an independent reviewer and provided to these "customers."

[3] The package contained a vulnerability scan. ITM has informed the OIG that it will rely solely on vulnerability scans in future ST&Es.

Weakness 2: Conduct risk assessments on all MAs and the GSS

Source: FY03 OIG Review

ITM Actions: ITM completed risk assessments for all MAs and the GSS in its domain. (Note: FFS is not in the FTC domain.)

OIG Analysis: OIG reviewed C&A packages for FTC's major applications and its general support system. Risk assessments were found for the following systems:

    • Do Not Call (DNC)
    • e-Premerger
    • Documentum
    • Matter Management System (MMS)
    • Consumer Information System (CIS)
    • Federal Financial System (FFS)
    • Infrastructure

OIG Status: Closed

Weakness 3: FTC.BUY – Password stored in clear text

Source: Agency Review

ITM Actions: FTC.BUY is an "off the shelf" procurement package with modifications tailored to FTC requirements. User passwords are encrypted and are now required to be changed at least every 90 days. However, the Oracle database access password and user ID are not hidden. Rather, they are identified in clear text in a system file. The password and user ID control access to the procurement program files and must be readable to track user access. All users have access to this file, but do not know in which file the password / user ID is embedded or the location within the file. ITM noted that the application was put into place before the FTC's password policy was implemented.

According to a memorandum from the Chief Information Security Officer to the Chief Financial Officer (CFO) dated August 2004, ITM accepted the risk of storing passwords in clear text.

OIG Analysis: The OIG believes that the factors surrounding the existence of the clear text password mitigate many of its risks. An individual would have to know where to go (which file) and what to look for before he/she could exploit the system. In FY2007, the entire system, including the FTC.BUY component, will be upgraded and/or replaced. ITM told the OIG that no software will contain clear text passwords. The OIG does not believe that it would be an efficient use of resources to make significant modifications to this system given its life expectancy.

OIG Status: Closed

Weakness 4: Some PCs attached to the FTC network have analog phone lines and modems, which may bypass FTC security

Source: VeriSign War Dialing (External Penetration Test)

ITM Actions: ITM developed an Analog Lines Policy ITM-2004-16 that states:

    • FTC-issued workstations with modems connected to analog lines at FTC facilities shall only be allowed to dial out. Dialing in is not permitted.
    • Fax machines are permitted to have dial-out and dial-in capabilities.
    • The Chief Information Security Officer must approve requests for new analog lines for workstations with modems.

ITM maintains a list of fax and modem lines.

OIG Analysis: The OIG reviewed an ITM-provided list of fax and modem lines. To confirm that analog lines were programmed not to accept incoming calls, three modem phone numbers attached to the FTC network were dialed to determine if the modem would accept the call. The numbers called were associated with the library and the financial management system. The OIG verified that these lines did not pick up incoming calls.

However, the OIG noted other modems attached to applications connected to the network that require dial-in capability (e.g., Pitney Bowes system). These systems with dial-in access are not documented.

OIG Status: Closed

Notwithstanding the actions taken by ITM to address the observed vulnerability, the OIG believes that ITM should track and monitor all modems and applications that allow dial-in access. The OIG recommends that:

Recommendation 1: ITM develop and document security controls for modems and systems requiring dial-in access. Security controls should, at a minimum, include:

    • Limiting access through management, operational, and technical controls;
    • Documenting the phone numbers, locations and POCs for modems and applications allowing dial-in access; and
    • Monitoring modem usage and investigating suspicious activity.

Weakness 5: Policy and procedures to secure electronic data in regional offices are needed.

Source: Agency Review

ITM Actions: ITM included procedures for securing electronic data at FTC regional offices in the Office of Information and Technology Management Central Computer Systems & PBX Disaster Recovery Plan (DRP). According to the DRP, backup tapes are shipped off site to a tape storage facility on a weekly basis. The DRP identifies the storage sites and contact information for FTC headquarters and each of the regional offices. ITM also provided the OIG a copy of the Regional Office off-site storage procedures.

OIG Analysis: The OIG verified that the policy and procedures on securing electronic data are documented in the DRP. The OIG also reviewed procurement-related documentation for the use of the storage facility and a copy of the regional office storage procedures.

OIG Status: Closed

Weakness 6: Security of home PCs connecting to FTC networks

Source: Agency Review

ITM Actions: The FTC Remote Access Policy ITM-2004-11 provides instructions on what users must do to request access to FTC assets. The policy identifies remote access: (i) connection options and restrictions, (ii) training and Security Token responsibilities, (iii) security requirements and security scanning and incident response, and (iv) privacy, acceptable use and the enforcement of security controls.

Users are required to sign a remote access acknowledgement form that identifies the rules that remote access users must follow. Remote access is discussed in ITM annual security awareness training.

The Chief Information Security Officer issued a memorandum to regional administrative officers regarding new procedures for providing new employees with their passwords. These guidelines require employees to review a security slide show presentation and to read and sign a network access acknowledgement form before they receive their passwords. The signed form must be faxed to the Help Desk within 24 hours of acknowledgement. The Operations Assurance branch maintains forms with original signatures.

The Remote Access SecurID Tokens document provides users with instructions for requesting remote access and returning tokens.

OIG Analysis: The OIG determined that the Remote Access policy, the Remote Access SecurID Tokens document, and FTC Forms 730 (Remote Access Acknowledgement form) and 731 (Network Acknowledgement form) validate that there are documented policies and procedures for requesting and managing remote access. The OIG confirmed that FTC follows these policies and procedures by validating that both forms (730 & 731) are signed and dated by remote users. Form 730 includes the user name, user signature, token number, and date signed. Form 731 includes the user name and signature, date of training, and the date signed. These corrective actions effectively mitigate this vulnerability. The OIG also inspected a SecurID token and noted that the expiration date is recorded on the back of the token. OIG also obtained and reviewed purchase documentation for the SecurID tokens.

OIG Status: Closed

Weakness 7: Peer-to-Peer file sharing applications on FTC's PCs

Source: Agency Review

ITM Actions: The FTC Administrative Manual, Ch. 550, Information Technology Usage Policies and Practices, states that:

    1. A. Internet Access. Internet access provided by the FTC is intended primarily for work-related purposes. To the extent possible, users should be aware of an Internet site's primary information content prior to connecting to it. It is the user's responsibility to exercise good judgment when accessing Internet sites and to avoid sites that are inappropriate for use by an FTC user. For example, Internet sites containing sexually explicit, sexually oriented, gambling or related material shall not knowingly be accessed using FTC computer resources, except for law enforcement purposes. Users of FTC-provided computer equipment are not allowed to download or use peer-to-peer file exchange software such as Kazaa or Morpheus. Instances of such software will be removed when detected by ITM.

Additionally, FTC annual security awareness training informs users that peer-to-peer software is not permitted on FTC devices. According to notes included in the POA&M package, the FTC Intrusion Detection System (IDS) identifies and removes any peer-to-peer software it finds during scans.

OIG Analysis: The OIG reviewed the guidance found in Administrative Manual Sec. 550 and the FTC annual security awareness training and confirmed that policy and training prohibit the use of peer-to-peer software. The OIG also reviewed an e-mail that was generated and sent to users when unauthorized software was found on their workstations. A closed Vantive ticket was also reviewed to confirm that unauthorized software is removed when discovered.[4] Review of FTC's annual security awareness training confirmed that the prohibition of peer-to-peer software at FTC is discussed in security training. OIG also received and reviewed a copy of an eEye Digital Security invoice for the purchase of Retina network security scanner software. OIG previously confirmed the installation of the ISS Proventia security appliances in an earlier review. These appliances are used for intrusion detection and for network scanning.

OIG Status: Closed

Weakness 8: DRP vulnerabilities: Record DRP modifications, update the emergency management contact list and include a line of succession for leadership.

Source: FY04 OIG Independent Evaluation

ITM Actions: ITM is now documenting changes to the DRP on the Disaster Recovery change control page on a quarterly basis.

OIG Analysis: Review of the September 2004 and June 2005 DRPs showed that changes to the DRP are recorded. The DRP contains a Disaster Recovery change control page where changes made to the document in November 2004, pp. 40, 41; February 2005, pp. 40, 41; and March 2005, p. 9 were recorded. Comparison of the 1st quarter and 2nd quarter DRPs with the final DRP validated that the DRP is being updated on a quarterly basis.

OIG Status: Closed

[4] The Vantive system is a collection of integrated applications that can be used to integrate customer support, help desk, quality assurance/engineering, and remote customers.

Weakness 9: The Senior Agency Information Security Officer position may not be sufficiently independent to act as the Certification Agent (CA)

Source: FY04 OIG Review

ITM Actions: ITM modified the System Security Certification & Accreditation Policy (ITM-2004-02). It now states that "… the CA and any individual or organization that the CA may designate to assist in the certification process, shall be independent from anyone directly responsible for the development or day-to-day operation of the system to be certified, and from anyone who is responsible for correcting security deficiencies, if any, that may be identified by the certification process."

OIG Analysis: The OIG's review of the C&A packages found that some of the certification memoranda were signed by the head of the Operations Assurance Branch, an individual with no operations role. In July 2005, the Senior Agency Information Security Officer will become the new OA branch chief. He will thus have dual responsibilities. Since neither position has operations responsibilities, this personnel change will not impact the independence of the certification officer.

OIG Status: Closed

Weakness 10: Master Agreement with AT&T will include relationships with outside vendors

Source: AT&T Risk Assessment

ITM Actions: ITM received Letters of Assurance from AT&T Government Solutions, Inc., relating to TARGUSinfo and West Interactive.

OIG Analysis: OIG reviewed the Letters of Assurance from AT&T relating to TARGUSinfo and West Interactive identifying the FTC security requirements for securing the DNC system. These letters provide assurances to FTC that the DNC security requirements are being followed at TARGUSinfo and West Interactive. Both ITM and OIG relied on these written assurances and did not inspect TARGUSinfo and West Interactive security controls.

OIG Status: Closed

The OIG believes that the agency should take some steps, going beyond a letter of assurance, to assure itself that controls are in place and functioning. This year, for example, ITM is performing an ST&E on select AT&T facilities. While this does provide assurances, it is time consuming and expensive. One alternative is to request SAS 70 reports from the contractor performed by independent reviewers. SAS-70 reports are intended to provide select AT&T customer organizations and their independent auditors with information about the control structure features of services provided by AT&T.

Recommendation 2: To provide independent assurances that security controls are in place and operational, the OIG recommends that the FTC require AT&T to provide annual SAS 70 reports based on NIST 800-53.

Weakness 11: Complete Security Plan for Infrastructure

Source: FY03 OIG Review

ITM Actions: ITM developed a security plan for Infrastructure.

OIG Analysis: The OIG reviewed the Infrastructure security plan and confirmed that it is completed. It contains all the required security plan elements.

OIG Status: Closed

Weakness 12: Conduct Security Test and Evaluations for Documentum and Infrastructure

Source: Agency Review, OIG FY03 Audit

ITM Actions: ITM conducted ST&Es on Documentum and Infrastructure.

OIG Analysis: Review of the documents confirmed that ST&Es were conducted for Documentum and Infrastructure. These ST&Es consisted of NMAP and Nessus scans.

OIG Status: Closed

Weakness 13: Configuration management on servers

Source: SAIC UNIX/Oracle Assess

ITM Actions: ITM developed configuration management documentation to address server and desktop configuration management. These documents include:

    • Baseline Win2k Member Server
    • Desktop Development Standard Operating Procedures v7, September 20, 2004
    • Exchange 2000 Cluster Server Installation Checklist
    • Exchange 2000 Server (Non-Cluster) Installation Checklist
    • Best Practice Guidelines for Building and Securing a SLES 9 Server
    • Oracle Install v1 (ORACLE_Install-v1)
    • Configuration Guide for FTC Router/Switches (Router-Switch_ConfigGuide-v1)
    • Serve Build Procedures
    • Checklist for new SNAP servers
    • Best Practice Guidelines for Building and Securing a Solaris 8 Server
    • Windows 2000 Member Server Installation Checklist
    • Completed Baseline Build Documentation Check-off Sheets

OIG Analysis: The OIG reviewed the configuration management documentation provided by ITM. The OIG also reviewed completed configuration management checklists to confirm that operations personnel are using the checklists when building servers. ITM is currently in the process of determining how long to retain and file the completed build checklists.

OIG Status: Closed

Weakness 14: Remote Administration Protocols

Source: SAIC UNIX/Oracle Assess

ITM Actions: ITM developed, tested, and implemented remote administration protocols and processes. ITM provided various e-mails and a memorandum dated October 5, 2004, stating that the remote administration protocols are implemented. ITM also provided an e-mail from a Unix administrator stating that the remote administration protocols established for ITM are being followed, as well as terminal server documentation.

OIG Analysis: The OIG reviewed the documentation provided by ITM and confirmed that remote administration protocols were implemented.

OIG Status: Closed

Weakness 15: Controls on Web mail downloads

Source: Agency Review

ITM Actions: ITM provided a memorandum from the Chief Information Security Officer stating that, based on the research conducted, there is no practical way to block the download of Web mail attachments to FTC desktops while still allowing access to the Web mail itself. As a result, all web mail is currently blocked.

OIG Analysis: OIG reviewed the memorandum and staff notices regarding the blocking of web mail.

OIG Status: Closed

Weakness 16: FTC Web servers do not have a legal notice

Source: Science Applications International Corporation (SAIC) Demilitarized Zone (DMZ) Vulnerability Assessment 3/5/2004

ITM Actions: ITM developed an FTC Web policy and posted it on the Web site.

OIG Analysis: The OIG reviewed the FTC Web policy and accessed the FTC website http://www.ftc.gov/ftc/sitepolicy/index.htm. The OIG confirmed that the policy is posted on the web. The policy provides guidance on:

    • Unauthorized access
    • Disclaimer of Endorsement
    • Data Quality Act (Section 515)
    • FTC's Web Publication Schedule
    • Privacy Policy

OIG Status: Closed

Weakness 17: FTC home user vulnerability issues

Source: Unisys Infrastructure Risk Assessment 6/25/2004

ITM Actions: ITM has taken a number of steps to address FTC home user vulnerability issues. The Chief Information Officer (CIO) issued a memorandum introducing FTC's new remote access policy to FTC staff and contractors. An announcement identifying FTC network security requirements for new employees and remote access requirements was posted in an FTC Daily dated October 8, 2004. Finally, FTC personnel are required to sign FTC-730 Remote Access and FTC-731 Network Acknowledgement forms when they are given remote access capability or access to the network.

OIG Analysis: The OIG reviewed the memoranda and reviewed completed FTC Forms 730 & 731 to confirm that users are signing these documents.

OIG Status: Closed

Weakness 18: The lead incident response investigator lacks forensic software identified in the FTC's Incident Response Procedures

Source: Unisys Infrastructure Risk Assessment 6/25/2004

ITM Actions: The CIO issued a directive stating that the Incident Response Team (IRT) is to use the FTC Litigation Support Branch's forensic software to investigate security violations. ITM owns and uses its own copy of iLook Software. ITM has created a new contract to procure forensic services from the MEGA II contract. ITM plans to stop using internal resources for computer forensics work.

OIG Analysis: The OIG reviewed the CIO-issued directive. Additionally, e-mail from a member of the IRT confirmed that the team used the Litigation Support Branch's forensic software in one investigation. OIG then reviewed incident response reports to confirm that ITM had access to forensic software. ITM provided two reports for events that occurred on July 22, 2004, and March 22, 2005. The reports did not specifically identify iLook as a forensic tool used in the investigation; however, they did indicate that security scanning and logging tools such as Nessus and iPrism, as well as virus and spyware detection software, are used as part of the forensic investigation.

OIG Status: Closed

Weakness 19: The incident response plan/procedures have not been tested

Source: Unisys Infrastructure Risk Assessment 6/25/2004

ITM Actions: ITM approved an Internet Response Team policy on April 15, 2004. According to the Operations Assurance Branch, the procedures were not formally tested, but were proven to be effective through their implementation in response to actual incidents.

OIG Analysis: OIG reviewed ITM-2004-04 Computer Incident Response Team Policy dated April 15, 2004. The policy defines when a security incident begins and the steps the IRT should take to contain and investigate the incident. The incident response steps are:

    1. Preserve and collect data related to the event.
    2. Assign a severity level to the event.
    3. Determine if data or business continuity is at risk.
    4. Identify the primary incident handler.
    5. Contain and eradicate the threat.
    6. Perform forensic analysis and secure evidence.
    7. Follow up with external organizations, if necessary.
    8. Create an executive and technical incident report.

The OIG reviewed two incident response reports for events that occurred on July 22, 2004, and March 22, 2005. The reports indicated the following about FTC incident response:

    • US CERT is notified when necessary.
    • Security and logging tools such as Nessus, iPrism, virus, and spyware checks are run and/or reviewed to assist in forensics investigation and evidence collection.
    • Procedures to identify, contain, investigate, correct, and document incidents are followed. When an incident response step is not followed or is ineffective, the issue is noted and corrective action identified.
    • A "lessons learned" analysis of the incident and response is conducted after the incident is completed.

OIG Status: Closed

Weakness 20: There is no vulnerability scanning policy for the FTC network

Source: Unisys Infrastructure Risk Assessment 6/25/2004

ITM Actions: ITM approved the FTC Scanning Policy on March 17, 2004.

OIG Analysis: The OIG confirmed that the Vulnerability Scanning Policy was approved on March 17, 2004. Review of the policy revealed that it identifies scanning priorities and IT resources affected by the scans and policy. The policy also states that:

    • The staff will not conduct denial of service activities.
    • The CIO must explicitly authorize searches of user files, e-mails, or other areas deemed necessary to a security investigation.
    • Corrective actions are identified.

OIG Status: Closed

Weakness 21: The security staff does not have multiple tools (only one on-site, but not implemented) with which to perform continuous vulnerability assessments

Source: Unisys Infrastructure Risk Assessment 6/25/2004

ITM Actions: ITM installed ISS Proventia devices on the FTC network. Additionally, FTC purchased eEye Retina to use for additional scanning.

OIG Analysis: The OIG confirmed the installation of Proventia software in a previous review. ITM provided purchase receipts for eEye Retina, but we did not verify its installation.

OIG Status: Closed

Weakness 22: A default password was found on CISCO routers for Hot Standby Routing Protocol (HSRP) service

Source: Agency Review

ITM Actions: ITM changed the default passwords on the CISCO routers.

OIG Analysis: The OIG reviewed Vantive ticket nos. 293879 and 198964. These tickets indicated that the corrective actions were complete and the tickets closed. Additionally, a screen shot of the Intrusion Detection System showed a search for HSRP_Default_Passwords. The screen capture revealed no default passwords.

OIG Status: Closed

Weakness 23: Default passwords used to view video images captured by security cameras

Source: Agency Review

ITM Actions: The passwords to the security captures were changed.

OIG Analysis: The OIG reviewed the Vantive ticket generated for correcting the password vulnerability to confirm that the default passwords were changed. Review of AXIS camera screen captures showed that there are password controls in place, and these controls appear to block incorrect passwords.

OIG Status: Closed

Weakness 24: No backup for DNS functionality

Source: Agency Review

ITM Actions: ITM set up backup servers for the primary UNIX and Windows Domain Name Servers (DNS).

OIG Analysis: Inspection of the FTC Data Center confirmed that backup Unix and Windows servers exist. The configuration was also reviewed and verified. There are two Unix servers: Dalmatian.FTC.gov (master server) and Akita.FTC.gov (secondary server). These servers are currently Sun Enterprise 250 platforms, but they will be replaced with two Sunfire V120 servers in the near future. If Dalmatian fails, Akita will automatically take over. On the Windows DNS, both servers run in parallel and are on two separate circuits. If the main server fails, the secondary server will take over. The primary Windows DNS server is called FTC-DNS and the backup is called Standby.

OIG Status: Closed

Recommendation 3: The OIG recommends that ITM document its document-recovery procedures, record and store passwords in a secure location, and maintain copies or backups of all pertinent files that may need to be restored.